Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/stephane-martin/vault-exec
Execute a command with environment variables set from Vault
golang unix vault
Last synced: 5 days ago
- Host: GitHub
- URL: https://github.com/stephane-martin/vault-exec
- Owner: stephane-martin
- License: apache-2.0
- Created: 2019-02-20T12:55:03.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-07-31T21:02:20.000Z (over 5 years ago)
- Last Synced: 2024-04-29T00:11:21.978Z (7 months ago)
- Topics: golang, unix, vault
- Language: Go
- Size: 2.97 MB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# vault-exec
`vault-exec` is a helper tool for HashiCorp's Vault. It is similar to `envconsul`: `vault-exec`
reads some secrets from Vault, sets the corresponding environment variables, and executes
a command.

Differences from `envconsul`:
- `vault-exec` cannot read key/values from Consul, only from Vault.
- `vault-exec` supports various Vault authentication schemes: token, userpass, approle, ldap.
- By default, `vault-exec` does not prefix environment variable keys with the secret keys.

After authentication, `vault-exec` gets a token from Vault. `vault-exec` automatically renews
the token. When the token finally expires, the command is terminated and `vault-exec` stops.

If a secret read from Vault is renewable, `vault-exec` automatically renews the secret. When
a secret finally expires, `vault-exec` terminates the command, rereads the secrets from Vault,
and then restarts the command.

Please note that, unlike Consul, Vault does not support "watching" a secret. If you
modify a secret in Vault, `vault-exec` won't be aware of the change until the end of the
expiration period.

# Compilation
`vault-exec` is written in pure Go. It uses `dep` as a dependency manager. The dependencies
are committed in git. A `Makefile` is provided to set the appropriate compilation options.
So do something like:

```bash
mkdir -p ~/go/src/github.com/stephane-martin
cd ~/go/src/github.com/stephane-martin
git clone https://github.com/stephane-martin/vault-exec
cd vault-exec
make release
```

# Installation
For Linux you can just grab the provided binary in the releases section. It is
compiled statically.

# Usage
See `vault-exec --help`.

Most options can be set through environment variables. In particular:
- `VAULT_ADDR` can point to the HTTP address of the Vault server.
- `VAULT_TOKEN` can provide the Vault token for token-based authentication.

When using token-based authentication, if `VAULT_TOKEN` is not set and the token
is not provided as a command-line option, `vault-exec` will try to retrieve the token
from `~/.vault-token`.

# Example
```
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=s.9rYhELGRJzWaCo3m3bV5eWJO
vault-exec --secret secret/my env
```
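
The token lookup described under Usage, sketched as an added Go example; it is not `vault-exec`'s own code. `resolveToken`, its parameters and the source labels are hypothetical, and the precedence of the command-line option over `VAULT_TOKEN` is an assumption the README does not state.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveToken is a hypothetical helper (not taken from vault-exec). It tries the
// command-line option, then VAULT_TOKEN, then ~/.vault-token. Flag-over-env order
// is an assumption. The source label is returned so callers can log where the
// token came from without logging the secret itself.
func resolveToken(flagToken, home string, getenv func(string) string) (string, string, error) {
	if t := strings.TrimSpace(flagToken); t != "" {
		return t, "flag", nil
	}
	if t := strings.TrimSpace(getenv("VAULT_TOKEN")); t != "" {
		return t, "env", nil
	}
	raw, err := os.ReadFile(filepath.Join(home, ".vault-token"))
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return "", "", errors.New("no token: option, VAULT_TOKEN and ~/.vault-token are all unset")
		}
		return "", "", fmt.Errorf("reading token file: %w", err)
	}
	// Tolerate surrounding whitespace such as a trailing newline.
	if t := strings.TrimSpace(string(raw)); t != "" {
		return t, "file", nil
	}
	return "", "", errors.New("no token: ~/.vault-token is empty")
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	_, source, err := resolveToken("", home, os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("token source:", source) // never print the token value
}
```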